Facebook ups login security, outs hacker with 1.5M accounts

It turns out the person who claimed to be selling 1.5 million Facebook logins …

Facebook says it has discovered the identity of "Kirllos," the hacker who claimed to be selling 1.5 million Facebook logins on the black market last month. It turns out that Kirllos didn't quite have as many accounts as he originally claimed, though he did manage to sell a number of credentials to third parties. Facebook has also updated its login system to make it more secure for users who want to make sure they maintain control of their accounts.

Facebook has not published Kirllos' identity, but says that he is based in Russia and the company has alerted local law enforcement to his activities. "We have determined Kirllos' identity through IP addresses, online accounts, and other information and believe that he's very likely a low-level actor," Facebook Spokesman Simon Axten told ComputerWorld.

Kirllos was apparently such a "low-level actor" that he had to inflate the number of accounts he had available. According to Axten, the hacker did have some credentials available, but the number of accounts Facebook found was "orders of magnitude less than what was reported." The company reset the passwords on the accounts it identified and notified users. Kirllos also appears to have disappeared from the Internet and has not responded to offers to buy more accounts.

This was likely just one of many reasons why Facebook decided to update its security settings in order to help users keep tighter control of their accounts. Users can now set up their accounts so they have to approve every device that accesses their Facebook logins. You can do this by going into Account Security under My Account and indicating that you want an alert anytime someone tries to log in from a device that hasn't yet been approved. On top of this, Facebook now asks for more information from anyone trying to log in from an unfamiliar device.

This system is similar to the one used by ING Direct and other banking systems to help cut down on unauthorized logins, and Facebook claims it has already seen some "great results." We see potential in this feature (I already turned it on for my account), but it won't have much effect if the majority of users have no idea the setting exists. Time to start telling your friends and family members about their security settings again!